Run a VPN Diagnostic Report on a Cloud-Managed Firebox

Applies To: Cloud-managed Fireboxes

This feature is only available to participants in the WatchGuard Cloud Beta program.

The VPN Diagnostic Report contains information that can help you troubleshoot VPN connectivity and routing issues. You can run this report while you send traffic through the tunnel to identify VPN issues. For some types of issues, the report contains information about how to resolve the issue.

To run the VPN diagnostic report for a cloud-managed Firebox, you can connect to Fireware Web UI on the Firebox. For information about Fireware Web UI, see About Fireware Web UI for a Cloud-Managed Firebox.

Run a VPN Diagnostic Report

To run a VPN Diagnostic Report, you must connect to the Firebox and log in to Fireware Web UI.

To log in to Fireware Web UI:

  1. From a computer on a network connected to the Firebox, open a web browser.
  2. In the web browser, go to https://<firebox IP address>>:8080.
    The Fireware Web UI login page appears.
  3. Log in with the user name admin and the Admin Password you set for this device in WatchGuard Cloud.

To run the VPN Diagnostic Report

  1. In Fireware Web UI, select Diagnostics.
  2. Select the VPN tab.
    The VPN diagnostic report options appear.

Screen shot of the Diagnostic Tasks > VPN page

  1. From the Gateway drop-down list, select a VPN.
  2. In the Duration text box, type the number of seconds to run the VPN Diagnostic Report.
  3. Click Start Report.
    The diagnostic task starts.

The Firebox collects log messages for the duration you specified. When the task is completed, details about the gateway and tunnel configuration and information about the status of any active tunnels for the selected gateway appear in the Results section. The log level is then returned to the previously set level.

VPN Diagnostic Report Details

The VPN Diagnostic Report includes these sections:


This is the complete report summary and can include information about actions you can take to resolve any issues identified by the report. For each tunnel route, the report shows whether the tunnel route was established, whether traffic was detected after the report started, and error messages related to the tunnel. Some error messages include information about what you can do to correct a problem with the VPN tunnel.

Gateway Summary

This is a summary of the gateway configuration and each configured gateway endpoint.

Tunnel Summary

This is a summary of the tunnel configuration for all tunnels that use the selected gateway. This includes both active and inactive tunnels.

Run-time Info (bvpn routes)

This section only appears when you run the diagnostic report for a branch office VPN virtual interface. It includes the static and dynamic routes that use the BOVPN virtual interface, and the metric for each route.

Run-time Info (gateway IKE_SA)

The status of the IKE (Phase 1) security association for the gateway.

Run-time Info (tunnel IPSEC_SA)

The status of the IPSec tunnel (Phase 2) security association for active tunnels that use the gateway.

Run-time Info (tunnel IPSec_SP)

The status of the IPSec tunnel (Phase 2) security policy for active tunnels that use the gateway.

Address Pairs in Firewalld

The status of the address pairs for each tunnel. This section does not appear when you run the report for a branch office VPN virtual interface, or a BOVPN for a cloud-managed Firebox.

Policy checker result

The policies that manage inbound and outbound traffic for each tunnel route.

Related Logs

If tunnel negotiation occurs while the Diagnostic Report runs, the tunnel negotiation log messages appear in this section. If the remote device attempts to negotiate or rekey the tunnel while the report runs, the log messages that appear in this section include more informative details.

See Also

About WatchGuard Cloud

Recover the Firebox Connection to WatchGuard Cloud